Using Wireshark to Sniff an SMB transmission

Posted on October 9, 2020 By blog_786 No Comments on Using Wireshark to Sniff an SMB transmission

Ever wonder what happens under the hood when you connect to a Windows share? There is one easy way to find out. Use a packet sniffer like Wireshark.

What is Wireshark?

Wireshark is an easy-to-install and easy-to-use packet capture tool that is supported on both Windows and Linux. On Windows, Wireshark uses the Windows Pcap module as its primary mechanism for capturing packets. Wireshark sits on top of Pcap to provide an easy-to-use interface and packet filter.

Using Wireshark to Sniff an SMB transmission

The easiest way to monitor packets between two machines is to simply install Wireshark on one of the two machines and then configure a filter to view traffic. In this example, we will monitor traffic between a Windows 10 client computer and a Windows 2012 server.

Create a file share

First, we’ll set up a share on the Windows 2012 machine. Create a new folder and name it “Share.” Right-click it and select Properties, go to the Sharing tab and select Share. Grant a user with administrative rights read and write access to the share. In this case, the administrator is already the owner of the shared folder.


Confirm that your share is listening with the net share command.


Client setting

Then, on a Windows 10 machine, we will connect to our newly created network share using the command line.


After confirming the connection to the share, it’s time to see what happens on the wire. Let’s install Wireshark on the Windows 10 computer. Wireshark is available for download from www.wireshark.org. In this example, we will use Wireshark-win64-2.6.6.exe. Just click Next and accept all the defaults in the setup wizard.

After launching Wireshark, the first step is always to start a capture on the chosen interface. From the Wireshark menu go to Capture | Parameters. Select the desired listening interface and start capturing. In this case, we only have one network adapter to choose from.


Once the capture is running, you will see all traffic on the interface.


Traffic Filter

In order to see only the traffic taking part in the SMB exchange, we need to configure a display filter. If you don’t know the filter syntax, Wireshark has a user-friendly graphical interface that you can use to build your filters. In the top bar next to the display filter field, select Expression. The “Wireshark – Display Filter Expression” window opens.


In this window, navigate through the protocol tree to find the appropriate field. In this case, the simplest introductory filter for narrowing our traffic is to restrict it by IPv4 address.

Under IPv4 we set ip.addr == 192.168.31.201, which is the IP address of the server hosting the SMB share. More experienced Wireshark users can simply type the same expression directly into the filter bar. The display is now limited to traffic between our client and the Windows 2012 server.

Let’s see if we can get more information from this capture. First, let’s delete the mapped share. On Windows 10, run Command Prompt as administrator and type net use \\192.168.31.201\share /delete. Below is an example of the TCP stream during the deletion. This time, a little more information is visible in the clear.


Then we will restart the entire connection from the beginning to check whether our credentials are protected. First, confirm that no session is established by running netstat and filtering its output on ESTABLISHED sessions. Then reconnect to the share with explicit credentials and use Follow TCP Stream on the new exchange.


Hooray! No passwords in clear text. However, the username is still visible. It might be time to move to SMBv3, which can encrypt the whole session.
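As an added example that is not part of the original post, here is the check a practitioner would run after reaching this conclusion: decoding the server’s SMB2 NEGOTIATE response out of a followed TCP stream to see which dialect was agreed and whether signing is required or encryption is available. Field layouts and flag values follow the MS-SMB2 specification; the sample bytes are constructed for illustration rather than taken from the post’s capture.

```python
import struct

# SMB2 constants from MS-SMB2; the dialect table and flag values come from the spec, not the post
SMB2_DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
                 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on responses
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
SMB2_GLOBAL_CAP_ENCRYPTION = 0x00000040   # advertised only by SMB 3.x servers

def parse_negotiate_response(stream: bytes) -> dict:
    """Decode one NetBIOS-framed SMB2 NEGOTIATE response (the first server reply on port 445)."""
    if stream[0] != 0:                    # NBSS type 0 = session message
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(stream[1:4], "big")
    msg = stream[4:4 + length]
    if len(msg) != length or msg[:4] != b"\xfeSMB":
        raise ValueError("truncated frame or not SMB2 (SMB1 starts with \\xffSMB)")
    # 64-byte SMB2 header: ProtocolId(4) StructureSize(2) CreditCharge(2) Status(4) Command(2) Credits(2) Flags(4) ...
    _, _, status, command, _, flags = struct.unpack_from("<HHIHHI", msg, 4)
    if status != 0 or command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a successful NEGOTIATE response")
    # Response body: StructureSize(65) SecurityMode DialectRevision ContextCount ServerGuid Capabilities ...
    fields = struct.unpack_from("<HHHH16sIIIIQQHHI", msg, 64)
    security_mode, dialect, capabilities = fields[1], fields[2], fields[5]
    return {"dialect": SMB2_DIALECTS.get(dialect, hex(dialect)),
            "smb3": dialect >= 0x0300,
            "signing_required": bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
            "encryption_capable": bool(capabilities & SMB2_GLOBAL_CAP_ENCRYPTION)}

def findings(info: dict) -> list:
    """The checks the post's conclusion asks for, as review notes on the capture."""
    out = []
    if not info["smb3"]:
        out.append("pre-SMB3 dialect negotiated: session setup metadata is visible in the clear")
    if not info["signing_required"]:
        out.append("signing not required: frames can be tampered with in transit")
    if not info["encryption_capable"]:
        out.append("server does not advertise SMB encryption")
    return out

def build_sample(dialect: int, security_mode: int, capabilities: int) -> bytes:
    """Constructed NEGOTIATE response bytes, as a followed TCP stream would show them."""
    hdr = b"\xfeSMB" + struct.pack("<HHIHHI", 64, 1, 0, SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR)
    hdr += struct.pack("<IQIIQ", 0, 0, 0, 0, 0) + b"\x00" * 16   # NextCommand .. Signature
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, security_mode, dialect, 0, b"\x11" * 16,
                       capabilities, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return b"\x00" + len(hdr + body).to_bytes(3, "big") + hdr + body
```

Feed it the raw bytes of the server’s first reply from the followed stream; a result with an empty findings list means the server settled on an SMB 3.x dialect with signing required and encryption on offer.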


This simple example demonstrates how to use Wireshark to monitor network connections. Wireshark can capture all traffic on an interface to troubleshoot connectivity issues, or to determine whether a packet exchange carries clear text that should be further protected. Wireshark is another tool worth adding to your security arsenal. Happy sniffing!
